General
-
Target
SecuriteInfo.com.Heur.15222.18660
-
Size
192KB
-
Sample
210309-jz8l9njecx
-
MD5
d3c7cfb10bf9afdd54b21b3a81aa4f88
-
SHA1
33ae344b6ef9b9af6ce3028d823a303045f1d902
-
SHA256
dcebef598b38647dc3f96a48d8bbddc3f4b1b45a92484ec15f4e3686ba559fcc
-
SHA512
d73e2e1a0626443b2d14478910e23ac146d9b68ff89e22dcbc56a504815e7b4bafe6e207d160dfbf487c7b49dfe27cc38072f61c2ba97bcfb6adde3dff8f3d8b
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Heur.15222.18660.xls
Resource
win7v20201028
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Heur.15222.18660.xls
Resource
win10v20201028
Malware Config
Extracted
http://gogorv.net/parseopml/intel.php
Extracted
trickbot
100013
rob72
103.225.138.94:449
122.2.28.70:449
123.200.26.246:449
131.255.106.152:449
142.112.79.223:449
154.126.176.30:449
180.92.238.186:449
187.20.217.129:449
201.20.118.122:449
202.91.41.138:449
95.210.118.90:449
-
autorunName:pwgrab
Targets
-
-
Target
SecuriteInfo.com.Heur.15222.18660
-
Size
192KB
-
MD5
d3c7cfb10bf9afdd54b21b3a81aa4f88
-
SHA1
33ae344b6ef9b9af6ce3028d823a303045f1d902
-
SHA256
dcebef598b38647dc3f96a48d8bbddc3f4b1b45a92484ec15f4e3686ba559fcc
-
SHA512
d73e2e1a0626443b2d14478910e23ac146d9b68ff89e22dcbc56a504815e7b4bafe6e207d160dfbf487c7b49dfe27cc38072f61c2ba97bcfb6adde3dff8f3d8b
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Templ.dll packer
Detects Templ.dll packer which usually loads Trickbot.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-